In 2025, organizations face a cybersecurity landscape marked by rapidly evolving threats, increased regulatory scrutiny, and heightened expectations for proactive measures. Cybersecurity is not just an IT concern. Organizations must mitigate widespread enterprise risk through a comprehensive approach that considers the legal, technical and operational concerns posed by cyber incidents. Preventive cybersecurity safeguards are essential for protecting against liability, reputational risk, regulatory non-compliance, and data loss.
This article explores four key themes that should be top of mind for decision-makers navigating the cybersecurity landscape in 2025.
1. The evolving cyber threat landscape
The cybersecurity threat landscape is constantly changing. Alongside a rising frequency of cyber incidents, cybercriminals are leveraging rapidly advancing technology to develop more sophisticated attack methods. New developments include AI-driven phishing schemes, ransomware-as-a-service models, and targeted attacks on supply chains.
AI is a highly effective tool for facilitating fraud and infiltrating an organization’s IT environment. The rise of generative AI has enabled attackers to craft highly convincing schemes, including phishing emails that evade traditional detection systems, more sophisticated malware and realistic methods of impersonation.
Ransomware continues to dominate headlines, with ransomware-as-a-service (RaaS) making it easier for less skilled actors to execute attacks. Ransomware developers sell their code and information about system vulnerabilities to other hackers, known as "affiliates." These affiliates then use the code to deploy their own attacks. The RaaS model mirrors the software-as-a-service (SaaS) model, enabling ransomware developers to profit and spread their malware more efficiently and identify new victims with less effort. These ransomware incidents often result in operational shutdowns, data theft, and significant financial losses.
Even where companies have a strong cybersecurity program in place, the integration of third-party vendors into organizational ecosystems has introduced new vulnerabilities, since a cyberattack on a vendor can affect the organization. These incidents present significant data exfiltration and public relations risks.
Companies should also be mindful of incidents that may arise from other sources, such as sending emails containing sensitive or personal information to the wrong recipients, mailing data through regular post, losing hardware, leaving data unencrypted, or leaving office areas unsecured. Many incidents occur inadvertently.
2. Proactive cybersecurity measures
A wide range of policies and procedures can enhance a company’s cybersecurity posture and better manage risks. These measures fall into two broad categories: preventive actions and incident response planning.
First, preventive actions include adopting advanced threat detection and response techniques, such as endpoint detection and response (EDR) solutions, security information and event management (SIEM) systems, and threat intelligence platforms. These technologies can provide real-time visibility into the organization’s security posture, enabling rapid detection and response to potential threats. Organizations should also consider implementing robust cybersecurity frameworks, such as NIST’s Cybersecurity Framework or ISO/IEC 27001, tailored to the organization’s unique risk profile. Regularly updating and patching systems to address vulnerabilities is crucial.
Furthermore, organizations should develop and maintain a comprehensive cybersecurity policy that clearly defines the roles and responsibilities of employees, contractors, and third-party vendors. This policy should be regularly reviewed and updated to reflect changes in the threat landscape and regulatory requirements.
An important component of these preventive actions is understanding the risks that any third party, such as contractors, vendors, or software services, may pose to the company’s network. The moment any third party is integrated into a network or receives data for which you are responsible, a new cybersecurity risk is introduced, as the vendor may itself fall victim to an incident. Agreements with third-party vendors should generally include explicit breach notification obligations and data protection requirements related to encryption and document retention. A more tailored contractual and monitoring approach should be employed for high-risk engagements. Conducting thorough security assessments of third-party vendors and enforcing supply chain security audits can mitigate risks from external partners. Additionally, companies should be prepared to take action and respond appropriately if a vendor informs them of a breach that could impact them or their customers.
Fostering a culture of cybersecurity awareness among employees is also crucial. Regular training sessions and awareness programs can help employees recognize and respond to potential threats, such as phishing emails and social engineering attacks, and make informed cyber choices, such as secure password management. By empowering employees to act as the first line of defense, organizations can reduce the risk of successful cyber attacks.
Second, an effective incident response plan (IRP) is critical for minimizing the impact of a cybersecurity incident. Organizations should develop clear procedures for detecting and containing incidents, responding to the legal and regulatory risks created by an incident, and addressing communications with affected individuals, employees, regulators, the media and the public. This strategy should include input from various teams, such as IT, privacy, legal, and communications.
Conducting regular simulations of cybersecurity incidents and tabletop exercises to test the IRP also ensures that the organization is prepared for real-world scenarios. Tabletops enable companies to realistically assess their incident readiness, identify areas for improvement and break down communication silos.
3. Regulatory compliance
The regulatory landscape for cybersecurity is becoming increasingly complex. Organizations must navigate a patchwork of requirements, including mandatory breach notification laws, stakeholder communication obligations, and harm mitigation standards.
In Canada, the privacy landscape is shaped by several key instruments that impact cybersecurity practices. For instance, Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) requires organizations to report breaches that pose a “real risk of significant harm.” Provincial legislation may require similar or additional reporting and notification obligations.
For example, Quebec’s Act respecting the protection of personal information in the private sector (PPIPS) now imposes mandatory breach reporting for confidentiality incidents, which are defined as incidents that involve unauthorized access, use, communication, or loss of personal information. In the event of such an incident, organizations must first assess the risk based on the sensitivity and potential misuse of the information. If there is a possibility of serious harm, they must notify both the Quebec privacy commissioner and affected individuals. Organizations are also required to appoint a privacy officer, conduct privacy impact assessments and maintain a register of all incidents. These regulations underscore the importance of a comprehensive approach to privacy and cybersecurity, ensuring that organizations not only protect sensitive data but also comply with legal obligations.
New industry-specific obligations and standards for data protection and cyber preparedness are emerging, particularly in the financial services and payments sectors. For instance, financial regulators like the Office of the Superintendent of Financial Institutions require reports within 24 hours of an incident and regular updates. Companies should also note that the new Retail Payments Activities Act (RPAA) mandates registered payment service providers (PSPs) to report incidents with a 'material impact' to the Bank of Canada and the affected parties without delay, which is defined in guidance as no later than 24 hours after determining the incident is material. Additionally, this law will require PSPs to establish a risk management and incident response framework, with detailed requirements for the incident response plan outlined in regulations. These requirements will come into force in September 2025.
Organizations should work alongside a dedicated compliance team that is well-versed in company policies and practices. A compliance team can collaborate with legal counsel and conduct regular internal audits and assessments. Audits can identify and address compliance gaps, such as gaps in information retention, the deletion of data and the handling of internal records. By conducting these audits, organizations can proactively pinpoint areas for improvement and implement corrective actions before regulatory authorities intervene.
4. Preserving privilege if a cybersecurity incident occurs
Involving legal counsel promptly during a cybersecurity incident ensures that the organization’s response is informed by an understanding of regulatory obligations and litigation risk. Counsel can provide legal advice to guide the organization in fulfilling breach notification and other regulatory requirements, and advise on communications with regulators, stakeholders, affected individuals and the public.
Engaging legal counsel promptly also enables a claim that the organization’s investigation and response to the incident is privileged. Recent case law, including LifeLabs LP v. Information and Privacy Commr. (Ontario), 2024 ONSC 2194, underscores the scope and limits of legal privilege in the context of cybersecurity incidents.
In LifeLabs, an organization experienced a significant data breach where cyber attackers accessed the personal health information of millions of Canadians. Following the breach, the Information and Privacy Commissioner of Ontario and the Office of the Information and Privacy Commissioner for British Columbia conducted a joint investigation. During this investigation, LifeLabs claimed legal privilege over certain documents, including the investigation report prepared by the cybersecurity firm hired to investigate the incident, correspondence between the cyber intelligence firm and the threat actors, and internal data analysis describing which individuals’ health information was affected by the breach.
In 2024, the Ontario Superior Court of Justice ruled that none of the material at issue was privileged, emphasizing that not all communications and reports generated during a cyber incident response are protected by solicitor-client or litigation privilege. The Court held that solicitor-client privilege does not protect factual information simply because the facts were included in documents prepared by or for legal counsel. The privilege is intended to protect legal advice, not the underlying facts. Further, the Court held that litigation privilege protects only documents or communications created for the dominant purpose of litigation and does not cover underlying facts that must be disclosed under statutory requirements. The LifeLabs case underscores the nuanced boundaries, and the limits, of legal privilege in the context of regulatory investigations.
Invest in proactive, comprehensive strategies
The cybersecurity landscape in 2025 demands proactive, comprehensive strategies that address evolving threats, regulatory changes, and operational challenges. By investing in proactive measures and engaging expert guidance, organizations can fortify their defenses and navigate the complexities of modern cybersecurity with confidence.
***
Christopher DiMatteo is a Blakes Partner in Toronto. He litigates complex commercial matters and specializes in the areas of privacy, cybersecurity, and constitutional and public law. He has represented clients at all levels of court in Ontario, the Federal Court, and the courts of Saskatchewan and Nova Scotia, in arbitration proceedings, and in the Supreme Court of Canada.
***
Liliane Langevin is an Associate at Blakes, working from the Ottawa and Montréal offices. Her cybersecurity practice spans the entire breach lifecycle, from incident response, regulatory notifications, crisis communications to proactive cyber risk assessment. She also maintains a regulatory practice in the Technology group, with a focus on communications law, payments, FinTech and artificial intelligence.
***
Eline Collard is a Staff Lawyer in the Technology group at Blakes. She specializes in intellectual property and cybersecurity, handling copyright and trademark matters, pre-breach and incident response, crisis communications, data analytics, and regulatory compliance. She also has experience in due diligence and drafting documents and agreements for corporate, commercial, and regulatory matters in the technology sector.